This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Dissector for q931 over iua (wrong interface identifier type - integer vs text)

0

Hi all!

My capture of "q931 over iua over sctp" traffic is displayed incorrectly because at q921 layer my equipment sends "Interface identifier" parameter tag = 1 (integer), but parameter length is 37 (must be 8 for integer according to RFC 3057; might be anything else if parameter tag = 3 (text)). Since that everything below this point interpretes as malformed IUA packet. I can do nothing with my equipment (in fact it works!), but I want to be able to capture and analyze signalling traffic.

My question is - is there a way to ignore this misbehavior and analyze the rest of the packet with offset equal to parameter length (a way other than writing alternate dissector for IUA)?

I use wireshark Version 2.0.3 (v2.0.3-0-geed34f0 from master-2.0) on windows 8.1.

Appreciate any help! Dmitry

asked 17 May '16, 05:33

dmitryd's gravatar image

dmitryd
11113
accept rate: 0%

One Answer:

0

Wireshark can't natively do this. Either:

  1. Get the equipment (which works incorrectly) to output the correct tag
  2. Use a tool to process the packets and correct the tag
  3. Build your own Wireshark, where you can patch the dissector

answered 17 May '16, 07:23

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

1

Jaap, thank you for your quick answer!

Finally, it took some time reading and then following very exact instructions (thanks to guys who wrote wireshark documentations!) of how to build wireshark from src code on windows. But after all, with some changes in original dissector it worked!

Dmitry

(25 May '16, 01:32) dmitryd